Electronic commerce and communication has heightened the need to provide better ways to manage trust when using networked computing systems. The availability of manageable security services such as user authentication, data confidentiality, and user accountability are essential for deploying trustworthy Internet-based services.
Research and development in the field of public key cryptography has been the greatest source of robust and scalable security protocol solutions. Public key cryptography is the basis for a number of popular digital signature and key management schemes. These include Diffie-Hellman key agreement and the RSA, DSA, and ECDSA digital signature algorithms. Public key algorithms are typically combined with other cryptographic algorithms (e.g. DES) and security protocols (e.g. SSL) to provide a wide range of sophisticated and scalable security services such as authentication, confidentiality, and integrity.
Public key cryptography uses a pair of cryptographic keys—one private and one public. Public key cryptography provides an elegant architecture for authentication and authorization, on any kind of communication channel. The Private key is kept secret and used to create digital signatures and decrypt encrypted messages. The public key of the user can be published and used by others to confirm the validity of a digital signature or to encrypt a message to the owner of the corresponding private key.
A public-key certificate binds a public-key value to a set of information that identifies an entity (such as a person, organization, account or site) associated with use of the corresponding private key. This entity is known as the “subject” of the certificate. The binding is certified by a certificate authority (CA) who issues a certificate that can be used by subject to assure other parties of the authenticity of a communication. The certificate is used by a “certificate user” or “relying party” that needs to assure them of the accuracy of the public key distributed via that certificate and that will be used to verify a message. Without such certification, the user cannot be sure that the public key is really the public key of the subject. A certificate user is typically an entity that is verifying a digital signature from the certificate's subject or an entity sending encrypted data to the subject. The degree to which a certificate user can trust the binding embodied in a certificate depends on several factors. These factors include the practices followed by the certification authority (CA) in authenticating the subject; the CA's operating policy, procedures and security controls; the subject's obligations (e.g. to protect the private key); and the stated undertakings and legal obligations of the CA, such as warranties and limitations on liability.
The CA which issues the certificates is frequently a software application running on a server and implementing a set of protocols and policies and administering the certificates that are issued. The certificate can be signed with an asymmetric cryptographic algorithm (using a digital signature) or authenticated with a symmetric system (using a message authentication code [MAC]).
Usually a CA is responsible for several tasks. These may include, without restriction:                Receiving certificate requests        Validating that the requesting entity has control of the private key matching the requested public key (proof of possession)        Validating the conformance of the request with local policy, including restrictions on identifying information, attribute information and/or keying material.        Modifying the request to create conformance with local policy        Validating the information in the request against external data sources        Determining if the request has been authenticated by the user or some other authority        Presenting the request for manual approval by an administrator or administrators        Signing or authenticating the certificate        Publishing the certificate to a central storage point or multiple storage points        Returning the certificate to the requestor        
With the dramatic increase in use of public key certificates there has been recognized a need for organizations to manage the security requirements for certificate issuing and management components. This need has evolved into what is termed a Public Key Infrastructure (PKI). A public key infrastructure (PKI) is commonly defined to be the set of hardware, software, people, policies and procedures needed to create, manage, store, distribute, revoke and destroy certificates and keys based on public key cryptography, in a distributed computing system.
A certificate issuing and management system (CIMS) includes the components of the PKI that are responsible for the issuance, revocation and overall management of the certificates and certificate status information. A CIMS always includes a CA and may include Registration Authorities (RAs), a portal and other subcomponents.
A complete PKI has many components. These components are typically distributed throughout the Internet as well as within private enterprise networks. Like other network management and security components, PKI capabilities must exist to one degree or another on virtually all network clients, servers and underlying infrastructure components.
Public key infrastructure provides an efficient, scalable method of managing identity. The identity of people, devices and services can be efficiently conveyed and managed within distributed, heterogeneous network environments using PKI-based methods.
In order to be commercially viable a PKI should be able to provide a Standards-based PKI architecture, protocol interoperability arid security modeling; scalable performance and assurance to match project requirements, schedule and budget; support for rapid evaluation, customization and deployment efforts; highly-scalable and distributable registration system to match organizational needs. As the use of PKI infrastructures has increased and the number of protocols and possible configurations has increased there is a need for a system and method that minimizes PKI development, customization and deployment barriers-to-entry for Internet-based Secure Service Providers (e-commerce, banking, telecommunications); Operating System Vendors or Distributors; Independent Software Vendors (ISV); PKI System Integrators and Consultants; Trust Service Providers (TSP); Internet Service Providers (ISP); Application Service Providers (ASP); Enterprise Security Solution Providers. However, presently such infrastructure tends to be provided on a customized basis to meet particular specifications and does not readily provide the flexibility and adaptability required in current environments.
It is therefore an object of the present invention to obviate or mitigate the above disadvantages.